-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:066 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : nss Date : March 20, 2014 Affected: Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in mozilla NSS: In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2 (CVE-2014-1492). The updated packages have been upgraded to the latest NSPR (4.10.4) and NSS (3.16) versions which is not vulnerable to this issue. Additionally the rootcerts package has also been updated to version 1.97, which adds, removes, and distrusts several certificates. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492 https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes https://bugzilla.mozilla.org/show_bug.cgi?id=903885 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 8738aaf947b7c6c0fa8287b0f96b8ddc mes5/i586/libnspr4-4.10.4-0.1mdvmes5.2.i586.rpm 1ac8455fe46e3f7bcec09a6f87f1720a mes5/i586/libnspr-devel-4.10.4-0.1mdvmes5.2.i586.rpm 3bc5399622a54a2e5f6803502a82b19f mes5/i586/libnss3-3.16.0-0.1mdvmes5.2.i586.rpm ea7bfa46a2882105f2cfe0a26e42b1ea mes5/i586/libnss-devel-3.16.0-0.1mdvmes5.2.i586.rpm 9cd3708423846d3f82db60151e14a467 mes5/i586/libnss-static-devel-3.16.0-0.1mdvmes5.2.i586.rpm 2e2a82c9a95b050b7de739a1c1beffc2 mes5/i586/nss-3.16.0-0.1mdvmes5.2.i586.rpm 98b4c278fd3c9d7087297326eff87b6a mes5/i586/nss-doc-3.16.0-0.1mdvmes5.2.i586.rpm ed3ff055035453d23157578988d3c49e mes5/i586/rootcerts-20140318.00-1mdvmes5.2.i586.rpm be1ef91bcd1e6d8b351c03b17ece1c39 mes5/i586/rootcerts-java-20140318.00-1mdvmes5.2.i586.rpm bf65eeba97981710fad16238c21da263 mes5/SRPMS/nspr-4.10.4-0.1mdvmes5.2.src.rpm 4154b4793f9b606d208d92b5907b43f0 mes5/SRPMS/nss-3.16.0-0.1mdvmes5.2.src.rpm 6db90539b764add06aaef701dea833ac mes5/SRPMS/rootcerts-20140318.00-1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 8c3517a3a0ef0116fcf2f61d52c4a525 mes5/x86_64/lib64nspr4-4.10.4-0.1mdvmes5.2.x86_64.rpm a00da7fecfe9ece4f1bdbd354207e8a5 mes5/x86_64/lib64nspr-devel-4.10.4-0.1mdvmes5.2.x86_64.rpm d77190996863e11f7e9dc1a922478f5b mes5/x86_64/lib64nss3-3.16.0-0.1mdvmes5.2.x86_64.rpm f600a5d968cd472173dc296f15b9ee84 mes5/x86_64/lib64nss-devel-3.16.0-0.1mdvmes5.2.x86_64.rpm 0d7bcc34e999d5ec7c9e78a9c2cd01ba mes5/x86_64/lib64nss-static-devel-3.16.0-0.1mdvmes5.2.x86_64.rpm 98b6d5589ec58f9eca1e7f928f52d7dc mes5/x86_64/nss-3.16.0-0.1mdvmes5.2.x86_64.rpm f99edb8b077c1b0486317f1a73b5fd4a mes5/x86_64/nss-doc-3.16.0-0.1mdvmes5.2.x86_64.rpm 5e3cafa689a4138db3bf4cca24562f28 mes5/x86_64/rootcerts-20140318.00-1mdvmes5.2.x86_64.rpm 8f9f11c3d2049912aec0097e5c33c287 mes5/x86_64/rootcerts-java-20140318.00-1mdvmes5.2.x86_64.rpm bf65eeba97981710fad16238c21da263 mes5/SRPMS/nspr-4.10.4-0.1mdvmes5.2.src.rpm 4154b4793f9b606d208d92b5907b43f0 mes5/SRPMS/nss-3.16.0-0.1mdvmes5.2.src.rpm 6db90539b764add06aaef701dea833ac mes5/SRPMS/rootcerts-20140318.00-1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFTKxT3mqjQ0CJFipgRAo4BAKCuBFcWolEbqGdUVwaVYTumVyeYFQCgz86O uqAZHLu9OH0gxVEblX+eoh0= =N99Y -----END PGP SIGNATURE-----